Posted to infrastructure-dev@apache.org by Dave Cottlehuber <da...@muse.net.nz> on 2012/01/18 10:54:52 UTC

Re: [Poll] Proposed: Code (.jar/.msi/binaries) Signing Service Offer

> On 12/5/2011 11:52 AM, William A. Rowe Jr. wrote:
> > On the subject of signing jars, Windows binaries and .msi installer
> > packages, it seems that infra-dev is partial to the ability to revoke
> > package signatures if an artifact is not released or is found to have
> > been corrupted, and that the code signing service from Symantec /
> > VeriSign / Thawte is the way to go here.
> >
> > I spoke with Richard and Dean who confirmed that this service would
> > be offered at no cost to the ASF.  User accounts would be as one of two
> > roles, an administrator (root-ish) level and a publisher (committer)
> > who needs to sign packages.  There is no integration at present for
> > PAM style authentication into our ldap, or SSO solution in this
> > specific service so we would have to create accounts for each committer
> > who is doing signed binary releases.
> >
> > It is batch-able and can be automated.  Obviously there is some work
> > around setting up that functionality, but it can run on the signers
> > own PC as opposed to a central repository.  Here's a background paper
> > on the code signing portal itself;
> >
> > http://www.verisign.com/code-signing/information-center/resources/code-signing-portal.pdf
> >
> > It is due a major revision entering (or already in?) beta.  That version
> > introduces support for .jar signing in addition to Win binary/msi signing.
> > I asked and they are researching whether Apache could be invited to
> > participate in the beta, since we would only just be getting up to speed
> > by the time that portal version launches.
> >
> > One major step would be for Sam, who is both our Legal VP and Infra VP,
> > to review the actual agreement/paperwork in detail and determine that
> > it would be something we are able to sign.  Dean, could you forward that
> > to Sam, even as we all learn more about the service and come to a decision
> > of whether we should adopt it or not?
>
> What say we?
>
> Has everyone interested had an opportunity to raise any questions already?
>
> I'm +1 here, this seems like the straightest line, and I would love to start
> investigating how to automate using their API.  I'd like to see if we can't
> jump aboard their beta for .jar signing, too.
>
> Are those interested in .jar signing/ant, maven integration ready to take
> a look at this?
>

Yup, I am interested in this for CouchDB for msi/exe signing. We don't yet
do MSI packaging but it's not far off.

Thanks
Dave
dch@a.o